I am grabbing a webpage with WinHttp and the resulting page is the site's 404 file not found page. I know that the code works as I have tested it with other websites. The page in question is a normal http protocol and .html file.
What can I do?
You don't give a whole lot to go on. I'd probably start with a trace of the HTTP session from your WinHttp calls and compare it with a trace from a working browser-based session and see what's different. Could be anything from a cookie to a referer field to who-knows-what that the server might not like.
Related
I'm trying to investigate the issue as I mentioned in the subject.
I login to the application and successfully able to land on the home page of my application through my JMeter code.
When I click on "user details" tab , I should be redirected 2 times.
Successfully able to redirect for the first time. For the second redirection I'm getting 500 error code instead of 302 again.
URL for "User details" is a plain URL, doesn't come with any need of correlation.
I have cookie manager with "standard"( tried all other options also on cookie manager)
I see that - cookie value SameSite=None; is also seen at request body along with other values only during the reply of my script(I do not see this in the recorded traffic/even if I cross verify using fiddler).
Would like to know if this can be a problematic. If so how can I remove this.
Try playing with Redirect Automatically and Follow Redirects boxes in the HTTP Request sampler
if it doesn't help - be aware that you can extract the redirect URL from the Location header using Regular Expression Extractor
If you think that the problem is with the cookie you can enable debug logging for the HTTP Cookie Manager by adding the next line to log4j2.xml file (lives in "bin" folder of your JMeter installation:
<Logger name="org.apache.jmeter.protocol.http.control" level="debug" />
this way you will be able to see what's going on under the hood in jmeter.log file as it might be the case that the cookie is broken somehow (expired, wrong path, etc.)
So I found an old http page of a shopping website that doesn't have any filtering occurring. Using a proxy, I can inject whatever I want into the page, and it reflects in the application's response. If I load the same request in a browser, I get redirected to their HTTPS site. Is there any possibility of having XSS occur before the redirect happens? Or is the Javascript after the server side redirect, therefore is the reason why my payload isn't executing? I'm using a simple alert(1) which is reflected in the response on the http site, but not on the https page.
it depends on the sort or redirection, When the server redirects you, the Browser wont execute javascript code.
If its a Client side redirection with javascript your code should be executed.
I've run into a few problems with setting cookies, and based on the reading I've done, this should work, so I'm probably missing something important.
This situation:
Previously I received responses from my API and used JavaScript to save them as cookies, but then I found that using the set-cookie response header is more secure in a lot of situations.
I have 2 cookies: "nuser" (contains a username) and key (contains a session key). nuser shouldn't be httpOnly so that JavaScript can access it. Key should be httpOnly to prevent rogue scripts from stealing a user's session. Also, any request from the client to my API should contain the cookies.
The log-in request
Here's my current implementation: I make a request to my login api at localhost:8080/login/login (keep in mind that the web-client is hosted on localhost:80, but based on what I've read, port numbers shouldn't matter for cookies)
First the web-browser will make an OPTIONS request to confirm that all the headers are allowed. I've made sure that the server response includes access-control-allow-credentials to alert the browser that it's okay to store cookies.
Once it's received the OPTIONS request, the browser makes the actual POST request to the login API. It sends back the set-cookie header and everything looks good at this point.
The Problems
This set-up yields 2 problems. Firstly, though the nuser cookie is not httpOnly, I don't seem to be able to access it via JavaScript. I'm able to see nuser in my browser's cookie option menu, but document.cookie yeilds "".
Secondly, the browser seems to only place the Cookie request header in requests to the exact same API (the login API):
But, if I do a request to a different API that's still on my localhost server, the cookie header isn't present:
Oh, and this returns a 406 just because my server is currently configured to do that if the user isn't validated. I know that this should probably be 403, but the thing to focus on in this image is the fact that the "cookie" header isn't included among the request headers.
So, I've explained my implementation based on my current understanding of cookies, but I'm obviously missing something. Posting exactly what the request and response headers should look like for each task would be greatly appreciated. Thanks.
Okay, still not exactly what was causing the problem with this specific case, but I updated my localhost:80 server to accept api requests, then do a subsequent request to localhost:8080 to get the proper information. Because the set-cookie header is being set by localhost:80 (the client's origin), everything worked fine. From my reading before, I thought that ports didn't matter, but apparently they do.
I want to know when I'm using IE8 open a website (like www.yahoo.com), which API will be called by IE8? so I can hook these API to capture which website that IE8 opening currently.
When you enter a URL into the browser, the browser (usually) makes an HTTP request to the server identified by the URL. To make the request, the IP address of the server is required, which is obtained by a DNS lookup of the host (domain) name.
Once the response -- usually containing HTML markup -- is received, the browser renders it to display the webpage.
More details available here: what happens when you type in a URL in browser
So, in the general case, no "API" request as such is made. (Technically speaking, you can think of the original HTTP request to the server as an API request). The sort of "API" request you presumably mean, however, is not made in this general case just described. Those requests happens when the JavaScript executing on the page makes an Ajax HTTP request (XmlHttpRequest) to the web server to carry out some operation.
I am not sure about IE8, but the "developer tools" feature of most modern browsers (including IE9 and IE10), would let you see the Ajax HTTP requests that the webpage made as it carried out different operations.
Hope this helps.
IE uses Microsoft's WinSock library API to interact with web servers.
You may want to look for a network monitoring/sniffing API, which you could use to examine HTTP requests, and determine the URLs the browser is using.
I am sending get httpwebrequests to the facebook graph api and all was working fine till I deployed to production server and now module that expects html/xml response is not working and when tested url in internet explorer, the save file dialog pops up and the file needs to be saved.
Other modules also send requests to the facebook graph but just differ in the form of requests so not sure what is going on here.
Any ideas appreciated
Edit:
Let me try and rephrase this. On my production server the httpwebrequest was not returning the correct result. So to Test it I copied the url http://graph.facebook.com/pepsi which is an example, should return the profile info viewable in the browser. The server has internet explorer v8 and I am not sure why it tries to download the file instead of displaying it in the browser. this is what is happening in my code and when I make a request to a different part of the api, then it works in my app but not in the browser
Your question is not very clear. From what I gather, you want the display the JSON response in a browser. Instead, you are being asked to download a file by the browser.
Well, this is normal behaviour. The response you get from Facebook would most likely have a MIME type of application/json. Most newer web browsers display the text in the browser itself. Some browsers, however don't know how to handle this content type and just ask you to download the file.
You mentioned that your module expects an html/xml response. Try changing this to application/json.
You also said that it works in your app but not in your browser. I don't know what you're making, but generally you wouldn't show raw json to the user in a browser, right?